Re: [exim-dev] CVE-2021-38371 (allows response injection dur…

Top Page
Delete this message
Reply to this message
Author: Harry Mills
Date:  
To: exim-dev
Subject: Re: [exim-dev] CVE-2021-38371 (allows response injection during MTA SMTP sending)
Hi Jeremy,

Thanks for the swift reply. Here is the (anonymised) output of the test
tool for reference. It looks like exim 4.94.2 (Centos 8) is not vulnerable:

python3 ./command-injection-tester --smtp <MAILSERVER>
SMTP: 2022-01-04 14:29:45 - INFO - Testing SMTP server at <MAILSERVER>:587
SMTP: 2022-01-04 14:29:45 - DEBUG - Logdir: ./logs, Comment:
commandinjectiontester, Timeout: 2
SMTP: 2022-01-04 14:29:45 - INFO - Sanity test...
SMTP: 2022-01-04 14:29:47 - TRACE - S: 220 <MAILSERVER> ESMTP Exim
4.94.2 Tue, 04 Jan 2022 14:29:45 +0000
SMTP: 2022-01-04 14:29:47 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-<MAILSERVER> Hello
<MAILSERVER> [<MAILSERVER IP>]
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-SIZE 52428800
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-8BITMIME
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-PIPELINING
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-PIPE_CONNECT
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-CHUNKING
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-STARTTLS
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250 HELP
SMTP: 2022-01-04 14:29:49 - TRACE - C: NOOP
SMTP: 2022-01-04 14:29:51 - TRACE - S: 250 OK
SMTP: 2022-01-04 14:29:51 - TRACE - C: STARTTLS
SMTP: 2022-01-04 14:29:53 - TRACE - S: 220 TLS go ahead
SMTP: 2022-01-04 14:29:53 - DEBUG - <----- TLS Handshake ----->
SMTP: 2022-01-04 14:29:53 - TRACE - C: QUIT
SMTP: 2022-01-04 14:29:53 - TRACE - S: 221 <MAILSERVER> closing connection
SMTP: 2022-01-04 14:29:53 - INFO - Sanity test done
SMTP: 2022-01-04 14:29:53 - INFO - Testing for command injection...
SMTP: 2022-01-04 14:29:55 - TRACE - S: 220 <MAILSERVER> ESMTP Exim
4.94.2 Tue, 04 Jan 2022 14:29:53 +0000
SMTP: 2022-01-04 14:29:55 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-<MAILSERVER> Hello
<MAILSERVER> [<MAILSERVER IP>]
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-SIZE 52428800
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-8BITMIME
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-PIPELINING
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-PIPE_CONNECT
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-CHUNKING
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-STARTTLS
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250 HELP
SMTP: 2022-01-04 14:29:57 - TRACE - C: STARTTLS
SMTP: 2022-01-04 14:29:57 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:59 - TRACE - S: 220 TLS go ahead
SMTP: 2022-01-04 14:29:59 - DEBUG - <----- TLS Handshake ----->
SMTP: 2022-01-04 14:30:01 - DEBUG - No response in encrypted context,
trying real command now ...
SMTP: 2022-01-04 14:30:01 - TRACE - C: FAKE commandinjectiontester
SMTP: 2022-01-04 14:30:03 - TRACE - S: 500 unrecognized command
SMTP: 2022-01-04 14:30:03 - INFO - Probably no command injection here!

Best wishes,

Harry

On 04/01/2022 14:00, Jeremy Harris via Exim-dev wrote:
> On 04/01/2022 11:11, Harry Mills via Exim-dev wrote:
>> We have a PCI DSS compliance failure for CVE-2021-38371, the details
>> page (linked from mitre.org site) gives a 404 and we cannot find any
>> other details on what this CVE refers to, or whether or not a fix is
>> available.
>>
>> We are running exim 4.94.2-2 from EPEL on Centos8.
>>
>> Any information would be very welcome.
>
> https://nostarttls.secvuln.info/ claims Exim is vulnerable, and that this
> was reported to us.  However, I'm not aware of any such report nor
> evidence.
>
> You could try the test tool linked from that page.


-- 
Harry Mills                                         Tel: 01749 812100
Managing Director                                   Mob: 07815 848818
Opendium Ltd.                                       www.opendium.com